New Trojan
From: Jay Castaldo (fupayme2003_at_hotmail.com)
Date: 10/25/03
- Previous message: David Gillett: "RE: [inbox] RE: Bogus DNS traffic"
- Next in thread: Harlan Carvey: "Re: New Trojan"
- Reply: Harlan Carvey: "Re: New Trojan"
- Maybe reply: Jerry Heidtke: "RE: New Trojan"
- Maybe reply: Grzegorz: "Re: New Trojan"
- Maybe reply: sean_at_a2.com.au: "Re: New Trojan"
- Reply: Rob Shein: "RE: New Trojan"
- Maybe reply: Jay Castaldo: "Re: New Trojan"
- Reply: Damian Gerow: "Re: New Trojan"
- Maybe reply: Tran, John: "RE: New Trojan"
- Maybe reply: Harlan Carvey: "RE: New Trojan"
- Maybe reply: Matt Vaughan: "RE: New Trojan"
- Maybe reply: Jay Castaldo: "Re: New Trojan"
- Maybe reply: Damian Gerow: "Re: New Trojan"
- Maybe reply: Thompson, Jason: "RE: New Trojan"
- Maybe reply: David LeBlanc: "RE: New Trojan"
- Maybe reply: James C. Slora, Jr.: "RE: New Trojan"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 25 Oct 2003 08:18:01 -0000 To: incidents@securityfocus.com('binary' encoding is not supported, stored as-is)
I don't know if this is a new trojan or anything, but I have tried doing some research on the Internet and couldn't find anything on it. Well it has two registry entries in my Run, and RunOnce. Here is the name of both keys acbdhpd and the values are pointing to a file1129 I can not seem to find rundll32 C:\WINNT\system32:acbdhpd.dll,Init 1. I tried killing my explorer.exe to see if that is reason I can't find it because I am most likely using a trojanized explorer.exe, but I could only find a copy in my temp, I delete through DOS and delete the registry entries to no success, the registry keys appear within 30 seconds and the file pops right back up. Anybody seen this or can give me some help to get this out without reloading? It has also opened up two TCP, 3799, and 41225 and two UDP ports, 1129, 1241. Thanks
---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_incidents_031023
and use priority code SF4.
----------------------------------------------------------------------------
- Previous message: David Gillett: "RE: [inbox] RE: Bogus DNS traffic"
- Next in thread: Harlan Carvey: "Re: New Trojan"
- Reply: Harlan Carvey: "Re: New Trojan"
- Maybe reply: Jerry Heidtke: "RE: New Trojan"
- Maybe reply: Grzegorz: "Re: New Trojan"
- Maybe reply: sean_at_a2.com.au: "Re: New Trojan"
- Reply: Rob Shein: "RE: New Trojan"
- Maybe reply: Jay Castaldo: "Re: New Trojan"
- Reply: Damian Gerow: "Re: New Trojan"
- Maybe reply: Tran, John: "RE: New Trojan"
- Maybe reply: Harlan Carvey: "RE: New Trojan"
- Maybe reply: Matt Vaughan: "RE: New Trojan"
- Maybe reply: Jay Castaldo: "Re: New Trojan"
- Maybe reply: Damian Gerow: "Re: New Trojan"
- Maybe reply: Thompson, Jason: "RE: New Trojan"
- Maybe reply: David LeBlanc: "RE: New Trojan"
- Maybe reply: James C. Slora, Jr.: "RE: New Trojan"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
